Monday, December 14, 2015

Active/Active Failover


If we have two physical firewalls, both can forward traffic at the same time. Active/Active failover requires multiple-context mode on the ASA: some contexts are actively forwarded by physical firewall 1 and the remaining contexts by physical firewall 2.

Multiple mode HA, with load sharing

Failover groups (1 and 2)
Assigning a context to a group
Standard failover config

Hierarchy of virtual firewalls
System config
    - Ctx-1
    - Ctx-2 and so on ...

For Active/Active failover we first create failover groups. There are exactly two: failover group 1 and failover group 2.
We have two ASAs in a failover pair: ASA1 as the primary unit and ASA2 as the secondary unit.
We configure ASA1 to be the active unit for failover group 1 and ASA2 to be the active unit for failover group 2.
By default every context (the admin context included) belongs to failover group 1, so we leave ctx-1 in failover group 1 and move ctx-2 to failover group 2.
This means ASA1 is active for ctx-1 and ASA2 is active for ctx-2. This is the load-sharing concept: traffic from user1 is forwarded by ctx-1 and traffic from user2 by ctx-2. Keep the load on each unit at 50% or less of its capacity, because after a failure one physical unit has to carry both groups.

At this point we have ctx-1 and ctx-2 configured on ASA1. ASA1 and ASA2 are cabled together, but the ASA2 configuration is still empty.

Remark: when both units boot at the same time and are configured correctly, the primary unit becomes active for ctx-1 and the secondary unit becomes active for ctx-2. When the secondary unit fails, the primary becomes active for both contexts. When the secondary comes back up it sees the other unit as active and assigns itself the standby role for both groups. By default there is no pre-emption. Pre-emption is a per-group setting in the system configuration (replicated to both units): with preempt configured on failover group 2, the secondary reclaims the active role for group 2, and therefore for ctx-2, after it comes back up. The same is true for the primary: when it goes down the secondary becomes active for both contexts, and when the primary comes back it stays standby for both unless preempt is configured on group 1, in which case it takes back its configured role after the preempt delay.


Active/Active Failover prerequisites:
Verify both appliances have the same hardware (model, interfaces, memory).
Verify that both appliances are properly licensed.
Verify that both appliances run the same software version and are in the same mode (multiple context, and the same routed or transparent setting).
Connect the devices together and to their networks according to the failover LAN cabling design and verify connectivity.
Configure the secondary appliance for HTTPS/IP connectivity (for ASDM and verification).

On ASA1 execute:
show context
changeto context ctx-1
show xlate
show conn

The tables already contain entries, because a PC behind ctx-1 is already browsing through it.

Note: the failover configuration is entered in the system execution space:
ASA1/ctx-1(config)# changeto system
ASA1(config)#

## Starting on the unit that will be PRIMARY, with multiple mode and both contexts already in place.
## Create the first of the two failover groups
failover group 1

## Tell the failover system that the PRIMARY unit should be active for any context in failover group 1
primary

## Optionally, tell the primary unit to reclaim the active role for this group 120 seconds after it comes back up (the value is a delay in seconds; without preempt the group stays where it is until the next failure)
preempt 120
exit

## Do the same for failover group 2
failover group 2

## Tell the failover system that the SECONDARY unit should be active for any context in failover group 2
secondary

## Request a preempt 120 seconds after the secondary unit comes back up, for this group
preempt 120
exit

## Now assign each context to one of the two failover groups.
## Execute this in the system execution space; context names are case-sensitive, so use the exact name shown by show context
context Ctx-1
join-failover-group 1
exit

context Ctx-2
join-failover-group 2
exit

## Now we need to tell the ASA what the failover links are.
# Prepare the failover interfaces (the LAN failover link and the stateful link); both are configured in the system execution space and must be enabled
int g4
no shut

int g5
no shut

## Tell physical box ASA1 its designation (primary or secondary). This designation never changes for this physical unit and is independent of which unit is currently active for a group.
Execute in the system context
failover lan unit primary

## Configure the names and IP addresses of the two failover connections (lab addresses; in production use a dedicated, non-routed subnet for each link)
ASA1(config)# failover lan interface fail-config g4
failover link fail-state g5
failover interface ip fail-config 1.1.1.1 255.255.255.252 standby 1.1.1.2
failover interface ip fail-state 2.2.2.1 255.255.255.252 standby 2.2.2.2

Remark: failover lan interface defines the LAN failover (control) link; failover link defines the stateful link. Both links carry the replicated configuration (passwords and keys included) and the connection state in clear text unless a shared key is configured with the failover key command on both units before failover is enabled; do that in any non-lab deployment.

### Set the prompt to include the context, if any, we are working in. Currently we are in the system (top-level) configuration area.
ASA1(config)# prompt hostname context

## Change from the system execution space to context Ctx-1 in order to add the standby addresses
changeto context Ctx-1
interface g1
ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
exit

## Now the outside interface of Ctx-1 (select it with the interface command first; its name is not shown here). Optionally give it a MAC address pair: both contexts share the same physical outside interface, so they are in the same broadcast domain and each context needs its own active and standby virtual MAC. On failover the new active unit takes over the active IP and MAC, so the neighbours see no change of address, only a change of switch port.
mac-address cc1e.6783.1111 standby cc1e.6783.2222
ip address 192.168.1.171 255.255.255.0 standby 192.168.1.181

## Move to Ctx-2 and add the standby addresses for that virtual firewall
ASA1/Ctx-1(config-if)#changeto context Ctx-2

conf t
interface ctx2_inside
ip address 10.2.2.1 255.255.255.0 standby 10.2.2.2
exit

interface ctx2_outside
mac-address cc1e.6783.3333 standby cc1e.6783.4444
ip address 192.168.1.172 255.255.255.0 standby 192.168.1.182

## Move back to the system execution space
changeto system

## Turn on failover
failover

## Save the system config and every context's own config at the same time
write mem all

## ASA1 now checks whether there is already an active unit for each of the two groups; since there is none, it becomes active for both groups.

Execute
show failover state
ASA1 is active for both groups 1 and 2.
The other host is not detected, since ASA2 is not configured yet.

# Move over to ASA2. Verify that it is in multiple mode, which is required for Active/Active, and that it matches ASA1 (same mode, same software).

show mode
It should say multiple.

Delete any .cfg files already present (stale context files would otherwise conflict with the replicated ones):
dir *.cfg
del *.cfg

## Now we want to replicate the configuration, along with the context .cfg files, from ASA1 to ASA2.

## Tell ASA2 that it is the secondary unit of the failover pair
failover lan unit secondary

## Make sure the failover interface is up
int g4
no shut

## Define the LAN failover interface name and IP addresses (same values as on ASA1). Only the LAN failover link has to be re-entered on the secondary; the stateful link (fail-state) and everything else is replicated from the primary once failover is enabled.
ciscoasa# failover lan interface fail-config g4
failover interface ip fail-config 1.1.1.1 255.255.255.252 standby 1.1.1.2
failover interface ip fail-state 2.2.2.1 255.255.255.252 standby 2.2.2.2

Note: the failover link IP addresses do not swap on failover. The primary always uses the first address and the secondary the standby address, whichever of them is active for a group.

## Turn on the feature
failover

# Configuration replication now happens, and the prompt changes from ciscoasa to ASA1 because the hostname was replicated
ASA1(config)#
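The whole procedure above, from the failover groups on the primary to enabling failover on the secondary, as an added example that is not part of the original post: a small Python generator that renders the system-context commands for both units from one description and checks the things that silently break load sharing before anything is pasted into a console (a context left outside the two groups, a standby address outside its subnet, a duplicate virtual MAC on the shared outside segment, a preempt delay outside the 1..1200 range, a failover link subnet that collides with a data subnet). The lab values are the post's; the name "outside" for Ctx-1's second interface, the failover key placeholder, and all function and field names are this example's own assumptions.

```python
"""Render and sanity-check an ASA Active/Active failover configuration.
Added example, not from the original post: one spec drives the system-context
commands for both units and a validator for mistakes that break load sharing."""
import ipaddress
from collections import namedtuple

PREEMPT_MAX = 1200  # the ASA accepts a preempt delay of 1..1200 seconds

# name = interface name inside the context; mac/standby_mac = optional virtual MAC pair
Iface = namedtuple("Iface", "name ip mask standby mac standby_mac", defaults=("", ""))
Context = namedtuple("Context", "name group ifaces")        # group = failover group 1 or 2
FoLink = namedtuple("FoLink", "name phys ip mask standby")  # logical name, physical port
# preferred = {group: "primary"|"secondary"}; preempt = {group: delay in seconds}
Spec = namedtuple("Spec", "lan state preferred preempt contexts")

def subnet_and_standby_ok(ip, mask, standby):
    """Subnet of ip/mask, and whether standby is a different host inside it."""
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return net, (ipaddress.ip_address(standby) in net and standby != ip)

def validate(spec):
    """Return a list of problems; an empty list means the spec is consistent."""
    problems, fo_nets, macs = [], [], []
    for g in (1, 2):
        if spec.preferred.get(g) not in ("primary", "secondary"):
            problems.append(f"failover group {g} needs a preferred unit")
    for g, delay in spec.preempt.items():
        if not 1 <= delay <= PREEMPT_MAX:
            problems.append(f"group {g}: preempt delay {delay} out of range 1..{PREEMPT_MAX}")
    for link in (spec.lan, spec.state):
        net, ok = subnet_and_standby_ok(link.ip, link.mask, link.standby)
        if not ok:
            problems.append(f"{link.name}: standby {link.standby} is not a distinct host in {net}")
        fo_nets.append(net)
    for ctx in spec.contexts:
        if ctx.group not in (1, 2):
            problems.append(f"{ctx.name}: must join failover group 1 or 2")
        for itf in ctx.ifaces:
            net, ok = subnet_and_standby_ok(itf.ip, itf.mask, itf.standby)
            if not ok:
                problems.append(f"{ctx.name}/{itf.name}: standby {itf.standby} is not a distinct host in {net}")
            if any(net.overlaps(f) for f in fo_nets):
                problems.append(f"{ctx.name}/{itf.name}: data subnet {net} overlaps a failover link subnet")
            macs += [m for m in (itf.mac, itf.standby_mac) if m]
    dup = sorted({m for m in macs if macs.count(m) > 1})
    if dup:  # both contexts share the outside segment, so virtual MACs must be unique
        problems.append(f"duplicate virtual MAC(s) across contexts: {dup}")
    return problems

def render_primary(spec):
    """System-context commands for the primary unit (contexts must already exist)."""
    out = []
    for g in (1, 2):
        out += [f"failover group {g}", f" {spec.preferred[g]}"]
        if g in spec.preempt:
            out.append(f" preempt {spec.preempt[g]}")
        out.append(" exit")
    for ctx in spec.contexts:
        out += [f"context {ctx.name}", f" join-failover-group {ctx.group}", " exit"]
    for link in (spec.lan, spec.state):
        out += [f"interface {link.phys}", " no shutdown", " exit"]
    out += ["failover lan unit primary",
            f"failover lan interface {spec.lan.name} {spec.lan.phys}",
            f"failover link {spec.state.name} {spec.state.phys}"]
    for link in (spec.lan, spec.state):
        out.append(f"failover interface ip {link.name} {link.ip} {link.mask} standby {link.standby}")
    out.append("failover key <shared-secret>")  # placeholder; without a key replication crosses the link in clear
    for ctx in spec.contexts:  # standby addresses and virtual MACs live inside each context
        out.append(f"changeto context {ctx.name}")
        for itf in ctx.ifaces:
            out.append(f"interface {itf.name}")
            if itf.mac:
                out.append(f" mac-address {itf.mac} standby {itf.standby_mac}")
            out += [f" ip address {itf.ip} {itf.mask} standby {itf.standby}", " exit"]
        out.append("changeto system")
    return out + ["failover", "write memory all"]

def render_secondary(spec):
    """Only the unit role and the LAN failover link are re-entered; the rest replicates."""
    lan = spec.lan
    return ["failover lan unit secondary", f"interface {lan.phys}", " no shutdown", " exit",
            f"failover lan interface {lan.name} {lan.phys}",
            f"failover interface ip {lan.name} {lan.ip} {lan.mask} standby {lan.standby}",
            "failover key <shared-secret>", "failover"]

# The post's lab values; "outside" as the name of Ctx-1's second interface is an assumption.
LAB = Spec(
    lan=FoLink("fail-config", "g4", "1.1.1.1", "255.255.255.252", "1.1.1.2"),
    state=FoLink("fail-state", "g5", "2.2.2.1", "255.255.255.252", "2.2.2.2"),
    preferred={1: "primary", 2: "secondary"}, preempt={1: 120, 2: 120},
    contexts=[Context("Ctx-1", 1, [Iface("g1", "10.0.0.1", "255.255.255.0", "10.0.0.2"),
                                   Iface("outside", "192.168.1.171", "255.255.255.0", "192.168.1.181",
                                         "cc1e.6783.1111", "cc1e.6783.2222")]),
              Context("Ctx-2", 2, [Iface("ctx2_inside", "10.2.2.1", "255.255.255.0", "10.2.2.2"),
                                   Iface("ctx2_outside", "192.168.1.172", "255.255.255.0", "192.168.1.182",
                                         "cc1e.6783.3333", "cc1e.6783.4444")])])

if __name__ == "__main__":
    print("\n".join(validate(LAB) or render_primary(LAB) + [""] + render_secondary(LAB)))
```

Running the script prints the problems if the spec is inconsistent, otherwise the primary's command list followed by the secondary's. The order matters: the groups and the join-failover-group assignments come before failover is enabled, and the standby addresses are set inside each context before the final write memory all.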

Execute show context; it now lists both Ctx-1 and Ctx-2.

show failover state

Initial output:
This host - secondary
group 1 standby ready
group 2 standby ready

other host - primary
group 1 Active
group 2 Active

Since the primary was already active for both groups, the secondary starts as standby for both.
We configured a preempt delay of 120 seconds on failover group 2, so wait 120 seconds and execute show failover state again.
Final output: the configured roles are now in place.
This host - secondary
group 1 standby ready
group 2 Active

other host - primary
group 1 Active
group 2 standby ready
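A check for the remark on pre-emption earlier and for the two outputs just shown, as an added example that is not from the original post: a Python parser for show failover state that reports which groups are not active on their preferred unit, prints the manual failover active group command that would fix it, and, given the output from both consoles, flags any group that both units claim as active (the symptom of a lost failover link). The sample outputs are constructed to approximate the ASA's format, the preferred-unit mapping (group 1 on the primary, group 2 on the secondary) is the post's design, and the function names are this example's own.

```python
"""Parse 'show failover state' and compare it with the intended load-sharing design.
Added example, not from the original post. The sample outputs are constructed to
approximate the ASA's format; the regexes tolerate spacing and case differences."""
import re

# The post's design: group 1 belongs on the primary unit, group 2 on the secondary.
PREFERRED = {1: "Primary", 2: "Secondary"}
HOST_RE = re.compile(r"^\s*(This|Other) host\s*-\s*(Primary|Secondary)", re.I)
GROUP_RE = re.compile(r"^\s*Group (\d+)\s+(.+?)(?:\s{2,}|$)", re.I)

def parse_failover_state(text):
    """Return {'this_host': unit, 'units': {unit: {group: state}}} from one unit's output."""
    result, unit = {"this_host": None, "units": {}}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            unit = m.group(2).capitalize()
            result["units"].setdefault(unit, {})
            if m.group(1).lower() == "this":
                result["this_host"] = unit
            continue
        m = GROUP_RE.match(line)
        if m and unit:  # state text ends at the two-space gap before the failure reason
            result["units"][unit][int(m.group(1))] = m.group(2).strip().title()
    return result

def misplaced_groups(state, preferred=PREFERRED):
    """(group, preferred unit, state seen there) for groups not Active where the design puts them."""
    return [(g, unit, state["units"].get(unit, {}).get(g, "Unknown"))
            for g, unit in preferred.items()
            if state["units"].get(unit, {}).get(g) != "Active"]

def remediation(state, preferred=PREFERRED):
    """Commands that restore the design, tagged with the unit they must be entered on.
    Without preempt a group stays where it landed after a failure, so this is the manual fix."""
    return [f"{unit}: failover active group {g}" for g, unit, _ in misplaced_groups(state, preferred)]

def split_brain_groups(*states):
    """Groups that more than one unit, each in its own output, reports as Active on itself:
    both boxes forward for the same contexts, typically because the failover link is down
    and each unit has declared the other one failed."""
    claims = {}
    for st in states:
        for g, s in st["units"].get(st["this_host"], {}).items():
            if s == "Active":
                claims.setdefault(g, set()).add(st["this_host"])
    return sorted(g for g, owners in claims.items() if len(owners) > 1)

# Constructed sample: seen on the secondary right after it joined, before its preempt delay.
INITIAL = """\
               State          Last Failure Reason      Date/Time
This host  -   Secondary
    Group 1       Standby Ready  None
    Group 2       Standby Ready  None
Other host -   Primary
    Group 1       Active         None
    Group 2       Active         None

====Configuration State===
        Sync Done
"""

# Constructed sample: 120 seconds later, after preempt moved group 2 to the secondary.
FINAL = """\
This host  -   Secondary
    Group 1       Standby Ready  None
    Group 2       Active         None
Other host -   Primary
    Group 1       Active         None
    Group 2       Standby Ready  None
"""

# Constructed samples from both consoles after the failover link was cut: each unit has
# declared the other failed and made itself active for everything.
SPLIT_PRI = """\
This host  -   Primary
    Group 1       Active         None
    Group 2       Active         None
Other host -   Secondary
    Group 1       Failed         Comm Failure
    Group 2       Failed         Comm Failure
"""
SPLIT_SEC = """\
This host  -   Secondary
    Group 1       Active         None
    Group 2       Active         None
Other host -   Primary
    Group 1       Failed         Comm Failure
    Group 2       Failed         Comm Failure
"""

if __name__ == "__main__":
    for label, text in (("initial", INITIAL), ("final", FINAL)):
        st = parse_failover_state(text)
        print(label, "misplaced:", misplaced_groups(st), "fix:", remediation(st))
    print("split-brain groups:", split_brain_groups(parse_failover_state(SPLIT_PRI),
                                                    parse_failover_state(SPLIT_SEC)))
```

For the initial output the checker reports group 2 as misplaced and suggests failover active group 2 on the secondary, which is exactly what preempt does on its own after the 120-second delay; for the final output it reports nothing. The split-brain check needs one capture from each unit, because a unit that has lost the failover link cannot see the other's real state and simply marks it failed.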

Let's change the prompt once more. Go to the primary.

## By default the unit that is active for failover group 1 is also active for the system execution space, so that is where system-level commands run
ASA1(config)# prompt hostname priority context state

Let's verify that traffic is still flowing through the primary for Ctx-1:
ASA1/pri/Ctx-1/act# show xlate
ASA1/pri/Ctx-1/act# show conn

Final result :
ASA1 primary is active for failover grp1 which is assigned ctx-1
ASA2 secondary is active for failover grp2 which is assigned ctx-2
This is also called load sharing.

On ASDM:

Device List -> System -> Configuration -> Device Management -> High Availability

If we want the primary host to be active for both groups 1 and 2, run this on the primary (the command makes the group active on the unit where it is entered; running it on the secondary moves the group back):

ASA1/pri/Ctx-1/act# failover active group 2
show failover state
The primary is now active for both groups.